The NetWalker ransomware group claimed to be behind an attack on Philadelphia area Crozer-Keystone Health System, prompting the health care provider to take systems offline.

The hackers are threatening to begin releasing information nicked in the attack in six days, according to a Cyberscoop report. The company, which operates eight medical facilities, including four hospitals, is still investigating the incident.

“The group behind NetWalker malware is particularly egregious and they’re just getting started; we should expect to see more organizations impacted by NetWalker’s Ransomware as a Service (RaaS) in the coming weeks and months,” said Armis CISO Curtis Simpson. “They have been actively targeting the healthcare industry during the Covid-19 crisis and have been posting data to dark web forums looking for affiliates, which are prioritized based on networks that they’ve already compromised as well as their ability to distribute the ransomware at scale.” 

Simpson noted that NetWalker hackers “have released compromised information in recent months to legitimize their threats: approximately 11 gigs of stolen data have been posted to a public blog.” The toolkit associated with NetWalker “includes lateral movement capabilities, which means that the ransomware will attempt to infect other accessible devices,” which “vary by environment” and “will include unmanaged devices of many forms.”